Legal

Privacy Policy

We built Foldif on a simple principle: your conversations are yours. We never read, analyze, or sell them. Your data lives on your device by default — cloud sync is always opt-in.

Last updated: May 21, 2026

1. Who We Are

Foldif ("we", "our", or "us") is a browser extension and web service that helps you highlight, annotate, and turn AI conversations into an exportable knowledge base across ChatGPT, Claude, and Gemini. Our website is located at foldif.com.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our extension or website. Please read it carefully. If you disagree with the terms, please discontinue use of our services.

2. Information We Collect

Information you provide directly:

  • Email address — when you create an account.
  • Password — stored as a salted hash via Supabase Auth. We never see your plain-text password.
  • Folder names, notes, highlights, and organization structure — stored locally first, optionally synced to our servers only when you enable cloud sync.

What we do NOT collect:

  • The content of your AI conversations (messages, prompts, or AI responses) — these never pass through Foldif servers. When you use the Cross-LLM Re-ask feature with your own API keys, messages are sent directly from your browser to the respective LLM provider (Anthropic, OpenAI, or Google) and are never relayed through our servers.
  • Your browsing history outside of the AI platforms Foldif supports.
  • Any personally identifiable information beyond your email address.
  • Your API keys for Anthropic, OpenAI, or Google — these are stored only in your browser's local storage and are sent exclusively to the respective provider's official API endpoint.

Automatically collected data:

  • Device identifier (deviceId): A randomly generated anonymous ID stored in your browser's synced storage (tied to your Google Account, not to you personally). Used to enforce free-tier usage quotas and link your license across devices.
  • Device fingerprint (for trial abuse prevention only): To prevent misuse of the free trial (e.g., repeated reinstalls to reset the trial), we compute a one-way hash of hardware signals including canvas rendering, WebGL renderer string, audio context characteristics, CPU core count, screen resolution, timezone, and browser language. This hash is never used for cross-user tracking, is not linked to your identity, and is only transmitted when the extension detects a significant hardware change during an active trial.
  • Free-tier quota counters: When using the free plan, we sync anonymous counters (folder count, prompt library usage) to our servers alongside your deviceId and fingerprint hash to enforce plan limits. No conversation content is included.
  • Install ping (one-time, on first activation): When you first see the welcome screen after installing Foldif, a single anonymous record is created capturing your IP address, browser locale, and install source (e.g., cws_install). It is used only to measure install volume and source attribution. It is not linked to your account, device fingerprint, or deviceId; never shared with third parties; never used for advertising; and automatically purged after 90 days.
  • Standard server logs (IP address, browser type, timestamps) retained for up to 90 days for security purposes.

3. Local-First Storage

Foldif operates on a local-first principle. Your folder structure, highlights, notes, bookmarks, TODOs, and conversation metadata are stored in your browser's local storage by default. Data is only synced to our servers when you explicitly enable cloud sync in settings (a Pro-tier feature).

This means: if you uninstall the extension without enabling sync, your local data is deleted from your device only. We have no copy of it.

Cloud sync encryption: When cloud sync is enabled, data is transmitted over TLS-encrypted HTTPS. Data is stored in our database in a readable format by default. If you set a personal passphrase in Foldif settings, your data will be client-side encrypted before upload (end-to-end encryption), and only you can decrypt it — we cannot read it. We strongly recommend enabling a passphrase for sensitive notes.

4. Public Share Links

When you use the Share feature to create a public link for a conversation or highlight collection, the selected content is uploaded to our servers and assigned a unique URL. Anyone with the link can view it.

  • Shared content may be indexed by search engines if the link is posted publicly.
  • Revoking a share link disables public access immediately, but cached copies (e.g., in search engine indexes) may persist independently.
  • Share link data is deleted from our servers when you revoke the link or delete your account.

Only share links you explicitly create — never share links containing sensitive or confidential information.

5. Chrome Extension Permissions

Foldif requests the minimum permissions necessary to function. Here is a plain-language explanation of each permission declared in our Chrome extension:

storage
Saves your folder structure, highlights, notes, extension settings, and license status locally in your browser. No data is sent to our servers without your consent.
activeTab
Detects which AI platform tab is currently active so Foldif knows where to inject the folder sidebar. Only reads the current tab URL — no browsing history access.
contextMenus
Adds right-click menu items for sending selected text to ChatGPT, Claude, or Gemini, and for rewriting or expanding selected content. These only appear on supported AI platforms.
downloads
Enables saving your exported content (PDF exports, PNG screenshots, JSON backups, and Markdown files) directly to your device's Downloads folder. Foldif only triggers a download when you explicitly click an export or backup button — no files are downloaded silently.
alarms
Schedules background tasks: periodic license refresh (every 12 hours), cloud sync intervals (when sync is enabled), and optional TODO reminder notifications. No data is collected or transmitted as a result of the alarm itself.
notifications
Displays browser notifications for events such as trial expiry warnings, sync completion confirmations, and (if you enable them) TODO due-date reminders. All notifications are triggered locally — Foldif does not use any push notification service.
host_permissions: chatgpt.com, claude.ai, gemini.google.com
Allows the extension to inject the Foldif sidebar UI into the supported AI platform pages. The extension reads conversation titles and metadata (e.g., conversation ID, URL) to populate your folders — it NEVER reads, stores, or transmits the actual content of your conversations (messages, prompts, or AI responses).
host_permissions: foldif.com
Used to verify your license status, sync folder data (when cloud sync is enabled), and communicate between the extension and your Foldif account on our website. All requests are authenticated and encrypted.

We do not use any of these permissions to read, collect, or transmit the content of your AI conversations. Conversation content never leaves your device through Foldif.

6. How We Use Your Information

  • To create and manage your account.
  • To provide and maintain the extension's core features.
  • To enforce free-tier usage limits using your anonymous device identifier and fingerprint hash.
  • To prevent trial abuse (e.g., repeated reinstalls to extend the free trial period).
  • To process your subscription via Paddle (our payment processor).
  • To send you transactional emails (account confirmation, new feature notifications, receipts).
  • To provide cloud backup and sync when you opt in (Pro tier).
  • To comply with legal obligations.

7. Third-Party Services

We work with the following third-party services, each subject to their own privacy policies:

Supabase
Database, authentication, and optional cloud sync storage. Hosted in Frankfurt (EU). Data shared: your email address (for account creation), authentication tokens, and cloud-synced folder data (when sync is enabled). Supabase processes this data only to provide database and auth services.
Paddle
Payment processing and subscription management. Paddle is our Merchant of Record and processes all payments. Data shared: billing details you provide at checkout (name, email, payment method). Foldif does not store your payment card details. Paddle retains transaction records as required by applicable tax law.
Resend
Transactional email delivery (account confirmation, receipts, feature notifications). Data shared: your email address and the email content. No browsing data or conversation content is included.
Anthropic / OpenAI / Google
If you use the Cross-LLM Re-ask feature and provide your own API keys, your messages are sent directly from your browser to the respective provider's official API. Foldif does not proxy these requests or log their contents. These providers' own privacy policies govern the data you send through their APIs.

We do not share your data with advertising networks, data brokers, or any third party for marketing purposes.

8. Data Storage & Security

We implement industry-standard security measures including:

  • In transit: All data exchanged with our servers is encrypted via TLS (HTTPS).
  • At rest: Our database (Supabase / PostgreSQL) uses encryption at rest. Row Level Security (RLS) policies ensure that each user can only access their own data.
  • End-to-end encryption (optional): If you set a personal passphrase in Foldif settings, your synced data is encrypted client-side before upload. We cannot read it; only you hold the key.
  • Authentication tokens: Your Supabase access token and refresh token are stored in your browser's local extension storage (not accessible by web pages). They are never transmitted to any domain other than foldif.com.
  • Hashed passwords: Passwords are stored as salted hashes via Supabase Auth. We never see or store your plain-text password.

Despite these measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your account and all associated data. You can also do this directly from your account settings within the extension.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Request an export of your data in a machine-readable format (JSON).
  • Objection: Object to processing based on legitimate interests.

To exercise any of these rights, email us at privacy@foldif.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

10. Data Retention

We retain your data for as long as your account is active or as needed to provide our services.

  • Account data (email, subscription status): retained until you request deletion.
  • Cloud-synced folder data: retained until you request deletion or disable sync.
  • Share link content: retained until you revoke the link or delete your account.
  • Device fingerprint hashes: retained for 90 days after last activity, then automatically purged.
  • Free-tier quota counters: retained until account deletion or 180 days of inactivity.
  • Server logs: automatically deleted after 90 days.
  • Payment records: retained for 7 years as required by applicable tax law (managed by Paddle).

11. Children's Privacy

Foldif is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, please contact us at privacy@foldif.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email and by updating the "Last updated" date at the top of this page. Your continued use of Foldif after the effective date of any changes constitutes your acceptance of the updated policy.

13. Contact Us

For any privacy-related questions or requests:

Email: privacy@foldif.com
General support: support@foldif.com
Website: foldif.com